sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00
Code

tests/krb5: Allow setting or resetting PAC flags

Browse Source 
This lets us test what happens when the flags in the PAC, such as
NETLOGON_RESOURCE_GROUPS, are given "interesting" values.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2022-12-12 11:08:28 +13:00 committed by Andrew Bartlett
parent 0245a588f4
commit 9a362f99e0
2 changed files with 63 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
python/samba/tests/krb5/group_tests.py
View File

@ -115,7 +115,9 @@ class GroupTests(KDCBaseTest):
ticket, ticket,
new_sids, new_sids,
domain_sid, domain_sid,
user_rid): user_rid,
set_user_flags=0,
reset_user_flags=0):
krbtgt_creds = self.get_krbtgt_creds() krbtgt_creds = self.get_krbtgt_creds()
krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds) krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
@ -126,7 +128,9 @@ class GroupTests(KDCBaseTest):
modify_pac_fn = partial(self.set_pac_sids, modify_pac_fn = partial(self.set_pac_sids,
new_sids=new_sids, new_sids=new_sids,
domain_sid=domain_sid, domain_sid=domain_sid,
user_rid=user_rid) user_rid=user_rid,
set_user_flags=set_user_flags,
reset_user_flags=reset_user_flags)
return self.modified_ticket(ticket, return self.modified_ticket(ticket,
modify_pac_fn=modify_pac_fn, modify_pac_fn=modify_pac_fn,
@ -137,7 +141,9 @@ class GroupTests(KDCBaseTest):
pac, pac,
new_sids, new_sids,
domain_sid, domain_sid,
user_rid): user_rid,
set_user_flags=0,
reset_user_flags=0):
base_sids = [] base_sids = []
extra_sids = [] extra_sids = []
resource_sids = [] resource_sids = []
@ -225,6 +231,9 @@ class GroupTests(KDCBaseTest):
logon_info.info3.base.user_flags &= ~( logon_info.info3.base.user_flags &= ~(
netlogon.NETLOGON_RESOURCE_GROUPS) netlogon.NETLOGON_RESOURCE_GROUPS)
logon_info.info3.base.user_flags |= set_user_flags
logon_info.info3.base.user_flags &= ~reset_user_flags
found_logon_info = True found_logon_info = True
# Also replace the user's SID in the UPN DNS buffer. # Also replace the user's SID in the UPN DNS buffer.
@ -1146,6 +1155,10 @@ class GroupTests(KDCBaseTest):
# Optional user SID to replace that in the PAC prior to a TGS-REQ. # Optional user SID to replace that in the PAC prior to a TGS-REQ.
tgs_user_sid = case.pop('tgs:user_sid', None) tgs_user_sid = case.pop('tgs:user_sid', None)
# User flags that may be set or reset in the PAC prior to a TGS-REQ.
tgs_set_user_flags = case.pop('tgs:set_user_flags', None)
tgs_reset_user_flags = case.pop('tgs:reset_user_flags', None)
# The SIDs we expect to see in the PAC after a AS-REQ or a TGS-REQ. # The SIDs we expect to see in the PAC after a AS-REQ or a TGS-REQ.
as_expected = case.pop('as:expected', None) as_expected = case.pop('as:expected', None)
tgs_expected = case.pop('tgs:expected', None) tgs_expected = case.pop('tgs:expected', None)
@ -1182,6 +1195,20 @@ class GroupTests(KDCBaseTest):
'specified TGS-REQ user SID, but no ' 'specified TGS-REQ user SID, but no '
'accompanying SIDs provided') 'accompanying SIDs provided')
if tgs_set_user_flags is None:
tgs_set_user_flags = 0
else:
self.assertIsNotNone(tgs_sids,
'specified TGS-REQ set user flags, but no '
'accompanying SIDs provided')
if tgs_reset_user_flags is None:
tgs_reset_user_flags = 0
else:
self.assertIsNotNone(tgs_sids,
'specified TGS-REQ reset user flags, but no '
'accompanying SIDs provided')
samdb = self.get_samdb() samdb = self.get_samdb()
domain_sid = samdb.get_domain_sid() domain_sid = samdb.get_domain_sid()
@ -1280,7 +1307,9 @@ class GroupTests(KDCBaseTest):
ticket = self.ticket_with_sids(ticket, ticket = self.ticket_with_sids(ticket,
tgs_sids_mapped, tgs_sids_mapped,
tgs_domain_sid, tgs_domain_sid,
tgs_user_rid) tgs_user_rid,
set_user_flags=tgs_set_user_flags,
reset_user_flags=tgs_reset_user_flags)
target_creds, sname = self.get_target(tgs_to_krbtgt, tgs_compression) target_creds, sname = self.get_target(tgs_to_krbtgt, tgs_compression)
decryption_key = self.TicketDecryptionKey_from_creds(target_creds) decryption_key = self.TicketDecryptionKey_from_creds(target_creds)
@ -1291,6 +1320,12 @@ class GroupTests(KDCBaseTest):
if tgs_to_krbtgt: if tgs_to_krbtgt:
requester_sid = user_sid requester_sid = user_sid
expect_resource_groups_flag = None
if tgs_reset_user_flags & netlogon.NETLOGON_RESOURCE_GROUPS:
expect_resource_groups_flag = False
elif tgs_set_user_flags & netlogon.NETLOGON_RESOURCE_GROUPS:
expect_resource_groups_flag = True
# Perform a TGS-REQ with the user account. # Perform a TGS-REQ with the user account.
kdc_exchange_dict = self.tgs_exchange_dict( kdc_exchange_dict = self.tgs_exchange_dict(
@ -1304,6 +1339,7 @@ class GroupTests(KDCBaseTest):
expected_requester_sid=requester_sid, expected_requester_sid=requester_sid,
expected_domain_sid=tgs_domain_sid, expected_domain_sid=tgs_domain_sid,
expected_supported_etypes=target_supported_etypes, expected_supported_etypes=target_supported_etypes,
expect_resource_groups_flag=expect_resource_groups_flag,
ticket_decryption_key=decryption_key, ticket_decryption_key=decryption_key,
check_rep_fn=self.generic_check_kdc_rep, check_rep_fn=self.generic_check_kdc_rep,
check_kdc_private_fn=self.generic_check_kdc_private, check_kdc_private_fn=self.generic_check_kdc_private,

32
python/samba/tests/krb5/raw_testcase.py
View File

@ -2505,6 +2505,7 @@ class RawKerberosTest(TestCaseInTempDir):
unexpected_client_claims=None, unexpected_client_claims=None,
expected_device_claims=None, expected_device_claims=None,
unexpected_device_claims=None, unexpected_device_claims=None,
expect_resource_groups_flag=None,
to_rodc=False): to_rodc=False):
if expected_error_mode == 0: if expected_error_mode == 0:
expected_error_mode = () expected_error_mode = ()
@ -2576,6 +2577,7 @@ class RawKerberosTest(TestCaseInTempDir):
'unexpected_client_claims': unexpected_client_claims, 'unexpected_client_claims': unexpected_client_claims,
'expected_device_claims': expected_device_claims, 'expected_device_claims': expected_device_claims,
'unexpected_device_claims': unexpected_device_claims, 'unexpected_device_claims': unexpected_device_claims,
'expect_resource_groups_flag': expect_resource_groups_flag,
'to_rodc': to_rodc 'to_rodc': to_rodc
} }
if callback_dict is None: if callback_dict is None:
@ -2644,6 +2646,7 @@ class RawKerberosTest(TestCaseInTempDir):
unexpected_client_claims=None, unexpected_client_claims=None,
expected_device_claims=None, expected_device_claims=None,
unexpected_device_claims=None, unexpected_device_claims=None,
expect_resource_groups_flag=None,
to_rodc=False): to_rodc=False):
if expected_error_mode == 0: if expected_error_mode == 0:
expected_error_mode = () expected_error_mode = ()
@ -2716,6 +2719,7 @@ class RawKerberosTest(TestCaseInTempDir):
'unexpected_client_claims': unexpected_client_claims, 'unexpected_client_claims': unexpected_client_claims,
'expected_device_claims': expected_device_claims, 'expected_device_claims': expected_device_claims,
'unexpected_device_claims': unexpected_device_claims, 'unexpected_device_claims': unexpected_device_claims,
'expect_resource_groups_flag': expect_resource_groups_flag,
'to_rodc': to_rodc 'to_rodc': to_rodc
} }
if callback_dict is None: if callback_dict is None:
@ -3233,11 +3237,26 @@ class RawKerberosTest(TestCaseInTempDir):
pac_sids.add(pac_sid) pac_sids.add(pac_sid)
# Collect the Resource SIDs. # Collect the Resource SIDs.
expect_resource_groups_flag = kdc_exchange_dict[
'expect_resource_groups_flag']
expect_set_reason = ''
expect_reset_reason = ''
if expect_resource_groups_flag is None:
expect_resource_groups_flag = (
resource_groups.groups.rids is not None)
expect_set_reason = 'resource groups present, but '
expect_reset_reason = 'no resource groups present, but '
if expect_resource_groups_flag:
self.assertTrue(
logon_info.user_flags & netlogon.NETLOGON_RESOURCE_GROUPS,
f'{expect_set_reason}RESOURCE_GROUPS flag unexpectedly reset')
else:
self.assertFalse(
logon_info.user_flags & netlogon.NETLOGON_RESOURCE_GROUPS,
f'{expect_reset_reason}RESOURCE_GROUPS flag unexpectedly set')
if resource_groups.groups.rids is not None: if resource_groups.groups.rids is not None:
self.assertTrue(logon_info.user_flags & (
netlogon.NETLOGON_RESOURCE_GROUPS),
'resource groups present, but RESOURCE_GROUPS '
'flag not set')
self.assertTrue(resource_groups.groups.rids, 'got empty RIDs') self.assertTrue(resource_groups.groups.rids, 'got empty RIDs')
resource_group_sid = resource_groups.domain_sid resource_group_sid = resource_groups.domain_sid
@ -3251,11 +3270,6 @@ class RawKerberosTest(TestCaseInTempDir):
resource_group.attributes) resource_group.attributes)
self.assertNotIn(pac_sid, pac_sids, 'got duplicated SID') self.assertNotIn(pac_sid, pac_sids, 'got duplicated SID')
pac_sids.add(pac_sid) pac_sids.add(pac_sid)
else:
self.assertFalse(logon_info.user_flags & (
netlogon.NETLOGON_RESOURCE_GROUPS),
'no resource groups present, but RESOURCE_GROUPS '
'flag set')
# Compare the aggregated SIDs against the set of expected SIDs. # Compare the aggregated SIDs against the set of expected SIDs.
if expected_groups is not None: if expected_groups is not None: